Irish data protection commissioner Helen Dixon has said attempts to reach agreement with other EU authorities on whether Twitter breached GDPR rules have been extremely difficult.
Speaking at the Web Summit on Thursday, Ms Dixon said the process to reach a unified agreement with other supervisory bodies had taken too long and been overcomplicated.
“It is the first time EU data protection authorities have stepped through the process so maybe it can only get better from here,” Ms Dixon said.
The Data Protection Commission, which has previously been criticised for delays in carrying out investigations against big tech companies for possible breaches, completed an inquiry into Twitter earlier this year. It circulated its draft findings to other bodies in May to allow them to have their say ahead of a final decision.
European data protection regulators have only recently reached an enforcement decision on an early 2019 breach of General Data Protection Regulation (GDPR) rules by the social networking site, with the European Data Protection Board forced to intervene because of the differing reactions to the draft decision.
The final decision, due to be announced by December 17th at the latest, will potentially mark the first time a significant fine has been levied on a tech giant under GDPR.
Dispute mechanism
Ms Dixon said that because of the co-operation and consistency mechanism under GDPR aimed at ensuring a harmonised interpretation of the law across the EU, she is unable to make a decision without other authorities. However, due to a number of objections, she had to call on the dispute mechanism to help all the parties come to an agreement.
Asked about her experience of the process, Ms Dixon made it clear it had been fraught.
“Am I satisfied? No, the process didn’t really work well,” she said.
Speaking at a separate event on Thursday, Ms Dixon said big tech companies are definitely in line for fines for privacy breaches.
“We will see fines soon enough. As to whether they’re big, that I can’t say at this point,” she told the Wall Street Journal’s Pro Cybersecurity Executive Forum.
GDPR gives data regulators powers to fine companies up to 4 per cent of their global turnover of the previous year or €20 million, whichever is greater, for violating the law.
The Irish Data Protection Commission is the lead EU regulator for companies that also include Google and Facebook under the “one-stop-shop” mechanism, which was introduced with GDPR in May 2018.